Business Associate Agreement
Last Revision: June 2026
This Business Associate Agreement (the “BAA”) is entered into by and between the applicable MedMe entity (“Business Associate”) and the customer (“Customer”) that are parties to MedMe’s software-as-a-service agreement currently available at https://www.medmehealth.com/saas-agreement, as may be updated from time to time (the “Agreement”) (each a “Party” and collectively the “Parties”). The Business Associate is either: (i) MedMe Health US, Inc., a corporation incorporated under the laws of the State of Delaware; or (ii) MedMe Health Limited, a corporation incorporated under the laws of the Province of Ontario, as identified in the Agreement.
This BAA is incorporated into and forms part of the Agreement. In the event of any conflict between this BAA and the Agreement with respect to the subject matter hereof, this BAA shall control.
BACKGROUND
I.Customer is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1986, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the privacy and security of Protected Health Information (as defined below);
II.The Parties have entered into the Agreement under which Business Associate provides or will provide certain specified services to Customer;
III.In providing services pursuant to the Agreement (the “Services”), Business Associate may have access to Protected Health Information;
IV.By providing the Services and creating, receiving, maintaining, accessing, or otherwise handling PHI in connection therewith, Business Associate will become a “business associate” of the Customer as such term is defined under HIPAA;
V.Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the Agreement, HIPAA and other applicable laws.
AGREEMENT
NOW, THEREFORE, in consideration of the mutual terms and conditions contained herein and the continued provision of PHI by Customer to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:
1. Definitions
For the purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used but not otherwise defined in this BAA has the meaning given to that term in HIPAA.
A.“Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
B.“De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
C.“Effective Date” refers to the date the Customer accepts this BAA electronically as part of the account registration process.
D.“HHS” means the U.S. Department of Health and Human Services.
E.“HITECH Act” means the Health Information Technology for Economic and Clinical Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
F.“Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
G.“Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of the Customer.
H.“Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
2. Use and Disclosure of PHI
A.Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the Services, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by applicable law.
B.Except as otherwise limited by this BAA or federal or state law, Customer authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for the proper management and administration of its business, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party, and (b) an agreement from this third party to notify Business Associate immediately of any Breach or unauthorized use or disclosure of the PHI, to the extent it has knowledge of the breach.
C.Business Associate may use PHI in its possession to perform Data Aggregation Services and is permitted to de-identify (in accordance with 45 CFR § 164.514) PHI in its possession and use such de-identified information for any lawful purpose.
D.Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified as 42 USC § 17935(b)) and any of the Act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.
E.Customer is responsible for ensuring that PHI shared with Business Associate complies with all applicable laws and regulations. Business Associate shall not be liable for unauthorized PHI disclosures resulting from Customer’s actions, omissions, or failure to implement appropriate safeguards.
F.Upon request, Business Associate will make available to Customer any of Customer’s PHI that Business Associate or any of its agents or subcontractors have in their possession.
G.Business Associate may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 CFR §164.502(d)(j)(1).
3. Safeguards Against Misuse of PHI
Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Customer. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.
4. Reporting Disclosures of PHI and Security Incidents
Business Associate will report to Customer in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware and Business Associate agrees to report to Customer any Security Incident affecting Electronic PHI of Customer of which it becomes aware. Business Associate agrees to report any such event without unreasonable delay and in no case later than 60 calendar days after becoming aware of the event. This Section constitutes notice by Business Associate to Customer of the ongoing occurrence of attempted Unsuccessful Security Incidents for which no additional notice to Customer shall be required. “Unsuccessful Security Incidents” means pings and other broadcast attacks or reconnaissance scans on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and any combination of the above, so long as no such incident results in any Breach of ePHI or access, Use, or Disclosure of ePHI in violation of this Agreement.
5. Reporting Breaches of Unsecured PHI
A.Business Associate will notify Customer in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR § 164.410, without unreasonable delay and in no case later than 60 calendar days after the discovery of a Breach.
B.Business Associate is not responsible for breaches occurring due to actions or omissions of Customer, its employees, or third-party vendors, including but not limited to external software providers, hosting services, and data processors integrated by Customer.
C.Where Customer is a business associate of a covered entity, MedMe’s obligations under this Section are satisfied upon notification to Customer. Customer bears sole responsibility for any upstream notification to the applicable covered entity required by applicable law or Customer’s own business associate agreement with its covered entity client.
6. Mitigation of Disclosures of PHI
Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.
7. Agreements with Agents or Subcontractors
Business Associate will ensure that any of its subcontractors that have access to, or to which Business Associate provides, PHI agree to restrictions and conditions no less protective than those contained in this BAA concerning uses and disclosures of PHI and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Customer.
8. Access to PHI by Individuals
A.Upon request, Business Associate agrees to furnish Customer with copies of the PHI maintained by Business Associate in a Designated Record Set within a reasonable time following Customer’s request, and in any event within the timeframe necessary to enable Customer or its covered entity client, as applicable, to respond to an Individual’s request for access to PHI under 45 CFR §164.524. To the extent such PHI is maintained electronically, Business Associate shall provide such PHI in the electronic form and format requested by the Individual, if readily producible, or in a readable electronic form and format as agreed upon by the parties.
B.In the event any Individual or personal representative requests access to the Individual’s PHI directly from Business Associate, Business Associate will forward that request to Customer. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Customer.
9. Amendment of PHI
A.Upon request from Customer, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Customer in accordance with procedures established by 45 CFR §164.526.
B.In the event that any Individual requests that Business Associate amend such Individual’s PHI or record in a Designated Record Set, Business Associate will forward this request to Customer and shall take no action on such request without Customer’s prior written instruction. All decisions regarding amendment or non-amendment of PHI requested by an Individual, and compliance with 45 CFR § 164.526, shall be the sole responsibility of Customer.
10. Accounting of Disclosures
A.Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate will furnish to Customer information collected in accordance with this Section 10 upon written request by Customer, to permit Customer to make an accounting of disclosures as required by 45 CFR §164.528. In the event that Customer elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request by the Individual, if and to the extent that such accounting is required under the HITECH Act or under any HHS regulations adopted in connection with the HITECH Act.
B.In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will forward such request to Customer.
11. Availability of Books and Records
Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Customer’s and Business Associate’s compliance with HIPAA, and this BAA.
12. Responsibilities of Customer
With regard to the use and/or disclosure of Protected Health Information by Business Associate, Customer agrees to:
A.If Customer is a covered entity, notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. If Customer is a business associate, notify Business Associate of any similar restrictions imposed by Customer’s covered entity client that may affect Business Associate’s use or disclosure of PHI.
B.Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI, including, if Customer is a business associate, any such changes or revocations communicated to Customer by its covered entity client.
C.Notify Business Associate of any restriction to the use or disclosure of PHI under 45 CFR §164.522 to the extent that such restriction may affect Business Associate’s use or disclosure of PHI including, if Customer is a business associate, any restrictions communicated to Customer by its covered entity client.
D.Except for data aggregation or management and administrative activities of Business Associate as permitted under this BAA, not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by a covered entity.
13. Term and Termination
A.This Agreement shall be effective as of the Effective Date and for so long as the Business Associate provides the Services to the Customer.
B.Customer may terminate this BAA, the Agreement, and any other related agreements if Customer makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Customer’s reasonable satisfaction, within 30 days after written notice from Customer. Customer may report the problem to the Secretary of HHS if termination is not feasible.
C.Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate on behalf of Customer will be returned to Customer or destroyed by Business Associate. Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of Business Associate’s subcontractors. If return or destruction of the PHI is not feasible, in Business Associate’s reasonable judgment, Business Associate will furnish Customer with notification, in writing, of the conditions that make return or destruction infeasible and Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 13.C. will survive any termination of this BAA.
14. Effect of BAA
A.This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern.
B.Except as expressly stated in this BA or as provided by law, this BAA will not create any rights in favor of any third party.
15. Regulatory References
A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.
16. Interpretation
Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the covered entity to comply with the HIPAA Rules.
17. Governing Law
This BAA shall be governed by and construed in accordance with federal law, including HIPAA and the HITECH Act, and to the extent not preempted by federal law, the laws of the state set out in the Agreement, without regard to its conflicts of law principles.
18. Notices
All notices, requests and demands or other communications to be given under this BAA to a Party will be made via electronic mail to the Party’s email address provided below:
A.If to Customer, to: the email address provided during account registration. Customer is responsible for keeping its contact information updated.
B.If to Business Associate, to: Email: legal@medmehealth.com
19. Amendments and Waiver
This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
20. HITECH Act Compliance
The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective.
21. Indemnification
A.Business Associate shall indemnify, defend, and hold harmless Customer and its officers, directors, employees, and agents from and against any and all claims, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or in connection with any material breach of this BAA by Business Associate with respect to its obligations relating to Protected Health Information, including but not limited to any Breach of Unsecured PHI caused by Business Associate’s acts or omissions.
B.Customer shall indemnify, defend, and hold harmless Business Associate and its officers, directors, employees, and agents from and against any and all claims, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or in connection with any breach of this BAA by Customer, including any claim arising from (i) Customer’s failure to comply with HIPAA and, if Customer is a business associate, any obligations under Customer’s agreement with its covered entity client, to the extent such failure affects Business Associate, (ii) failure to obtain any necessary consents or authorizations, (iii) Customer’s instructions to Business Associate or use of the Services in violation of this BAA or applicable law, and if Customer is a business associate, violation of Customer’s agreement with its covered entity client, and (iv) if Customer is a business associate, any claim by Customer’s covered entity client arising from Customer’s breach of its obligations to such covered entity client to the extent such claim is asserted against Business Associate.
C.The indemnification obligations in this Section 21 are subject to the limitations of liability set forth in Section 22 and the Agreement.
22. Limitation of Liability
Notwithstanding any other provision of this BAA, including the indemnification obligations set forth in Section 21, the aggregate liability of either Party arising out of or related to this BAA, whether in contract, tort, or otherwise, shall in all cases be subject to the limitations of liability, exclusions, and caps set forth in the Agreement, which are incorporated herein by reference. Nothing in this BAA shall be construed to expand either Party’s liability beyond the limits established in the Agreement.
By checking the box indicating acceptance of this BAA during the account registration process, the Customer acknowledges and agrees to the terms of this Business Associate Agreement.
This acceptance constitutes a legally binding agreement under the Electronic Signatures in Global and National Commerce Act (ESIGN Act) and applicable state laws governing electronic contracts. No physical signature is required.